Just-patched Java, IE bugs used to snare human rights sites

Reporters without Borders is latest site used in "watering hole" campaign.

The website belonging to non-governmental organization Reporters Without Borders is the latest to be hit by attacks that use the recently patched Java and Internet Explorer vulnerabilities to surreptitiously hijack computers of visitors, security researchers said.

The compromise comes a week after similar attacks successfully commandeered sites belonging to major Hong Kong political parties, Jindřich Kubec, a security researcher with antivirus provider Avast, wrote in a blog post published Tuesday. It's most likely another example of a "watering hole" attack, in which attackers target the sites their victims are likely to visit, in much the way predators position themselves near a river or lake bed to lie in wait for thirsty prey.

"Such an organization is an ideal target for [a] watering-hole campaign, as it seems right now the miscreants concentrate only on human rights/political sites—many Tibetan, some Uygur, and some political parties in Hong Kong and Taiwan which are the latest hits in this operation," Kubec wrote. "In our opinion the finger could be safely pointed to China (again)."

An analysis of the code running on the site shows that it queries the systems of each visitor, looking for a version of Microsoft's Internet Explorer browser or a browser plugin for Oracle's Java software framework that hasn't been updated. The attack code that's loaded when a vulnerable system is identified uses one of those vulnerabilities to silently install a remote access trojan that allows the attackers to monitor communications and update the malicious software.
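The fingerprinting the article describes (asking each visitor's browser whether it runs an unpatched Internet Explorer or Java plugin) can be turned around by a defender: a proxy log holds the same User-Agent strings the attack code was checking, so a quick sweep shows which hosts would have been picked off. The script below is an added example, not code from the article or from Avast. Its log line format (`<client_ip> <url> "<user_agent>"`), the sample lines and the version baselines are constructed assumptions; the baselines are placeholders to be taken from the advisory you are tracking, not the patch levels the article refers to.

```python
"""Sweep proxy logs for hosts whose IE or Java plugin reports a version
below a patched baseline.  Added example, not code from the article."""
import re
from collections import defaultdict

# Java plugin requests identify themselves as e.g. "Java/1.7.0_09";
# Internet Explorer announces itself as e.g. "MSIE 8.0" in the User-Agent.
JAVA_UA_RE = re.compile(r"Java/(\d+)\.(\d+)\.(\d+)_(\d+)")
MSIE_UA_RE = re.compile(r"MSIE (\d+)\.(\d+)")

# Constructed, simplified proxy line: <client_ip> <url> "<user_agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)"$')

# Placeholder baselines (constructed for the demo): the lowest version you
# consider patched.  Set them from the vendor advisory you are tracking.
MIN_JAVA = (1, 7, 0, 11)
MIN_IE = (9, 0)

# Constructed sample log: one host behind on both, one current, one on
# a different browser, and one malformed line the sweep must tolerate.
SAMPLE_LOG = [
    '10.0.0.5 http://example.test/index.html "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"',
    '10.0.0.5 http://example.test/applet.jar "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_09"',
    '10.0.0.7 http://example.test/index.html "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"',
    '10.0.0.7 http://example.test/applet.jar "Mozilla/4.0 (Windows 8 6.2) Java/1.7.0_11"',
    '10.0.0.9 http://example.test/ "Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0"',
    'garbage line',
]


def parse_line(line):
    """Return (client_ip, url, user_agent), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def java_version(ua):
    """Java plugin version as a comparable tuple, e.g. (1, 7, 0, 9), or None."""
    m = JAVA_UA_RE.search(ua)
    return tuple(int(x) for x in m.groups()) if m else None


def ie_version(ua):
    """IE major/minor as a tuple, e.g. (8, 0), or None if not IE."""
    m = MSIE_UA_RE.search(ua)
    return tuple(int(x) for x in m.groups()) if m else None


def fmt_java(v):
    return "%d.%d.%d_%02d" % v


def fmt_ie(v):
    return "%d.%d" % v


def find_outdated(lines, min_java=MIN_JAVA, min_ie=MIN_IE):
    """Return {client_ip: [reasons]} for hosts that fall below a baseline.

    Tuple comparison gives correct ordering for update numbers, so
    1.7.0_09 sorts below 1.7.0_11 even though "09" < "11" would also
    happen to work as strings here.
    """
    findings = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the sweep
        ip, _url, ua = parsed
        jv = java_version(ua)
        if jv is not None and jv < min_java:
            findings[ip].add("Java %s < %s" % (fmt_java(jv), fmt_java(min_java)))
        iv = ie_version(ua)
        if iv is not None and iv < min_ie:
            findings[ip].add("MSIE %s < %s" % (fmt_ie(iv), fmt_ie(min_ie)))
    return {ip: sorted(reasons) for ip, reasons in findings.items()}


if __name__ == "__main__":
    for ip, reasons in sorted(find_outdated(SAMPLE_LOG).items()):
        print(ip, "; ".join(reasons))
```

Two caveats on reading the output: the User-Agent is client-supplied and the Java string only appears on requests the plugin itself makes, so a host that never loaded an applet through the proxy will not show up at all. Treat the result as a coarse inventory of where to look first, not as proof that a host was or was not exploited.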


17 Reader Comments

This is getting really sad/boring. Lately it seems to be at least once a week some serious Java bug leads to a system exploit. Can we just decide that Java (in the browser) is completely insecure and anyone who uses it is asking for trouble. Then write an article once (if ever) it actually becomes secure.


That would be nice if so many sites didn't use it... We have bank, finance, remote access application, and HVAC controls that all utilize Java... It is getting real old having to deploy locked down VMs just so people can work...

At this point I could care less what Oracle does, but these sites need to STOP using Java for their reports, or app controls... Use it server-side, that's great, and works well... but get rid of the need for clients....

Things are sooo bad that when I have local admin rights (at work for example, or I would not be able to do much....) I remote into a hosted server running the latest OS and latest browser with no add-ons whatsoever, with browser security set to high, log in with a non privileged account, and I surf the web from there. No it isn't bullet proof, but it is an improvement, and I don't care if this server gets owned because I haven't got any data on it.


Trust no one.

This seems really.....absurd. Have you thought about just using firefox+noscript?

While everyone is a target, these "watering hole" vectored attacks seem to follow the classic lines of real world espionage with definite targets. These types of targets do tend to lend credence to this attack being state-sponsored or initiated.

Unfortunately, as news reporting becomes a portfolio career (freelance working for more than one publication), most journalists that use a site like Reporters Without Borders are their own IT support, as well as their own billing department, marketing department, collections department, etc. This leaves them particularly vulnerable to ever-evolving hacking attacks. It wouldn't be a surprise if these attacks are producing valuable intelligence to those behind them.

> This is getting really sad/boring. Lately it seems to be at least once a week some serious Java bug leads to a system exploit. Can we just decide that Java (in the browser) is completely insecure and anyone who uses it is asking for trouble. Then write an article once (if ever) it actually becomes secure.

> That would be nice if so many sites didn't use it... We have bank, finance, remote access application, and HVAC controls that all utilize Java... It is getting real old having to deploy locked down VMs just so people can work...

Rather than deploying VMs, have you considered the click-to-play feature modern browsers are rolling out? Disabling Java globally and enabling it only on *.mybank.com is a good way to reduce the risk, although far from perfect as the topic of this article shows. I would at least hope a few people would be suspicious if something suddenly changed to require Java.

> Things are sooo bad that when I have local admin rights (at work for example, or I would not be able to do much....) I remote into a hosted server running the latest OS and latest browser with no add-ons whatsoever, with browser security set to high, log in with a non privileged account, and I surf the web from there. No it isn't bullet proof, but it is an improvement, and I don't care if this server gets owned because I haven't got any data on it.

> Trust no one.

> This seems really.....absurd. Have you thought about just using firefox+noscript?

No and no.

IE with tracking protection and filtering turned on is better than noscript. If you don't think so then you haven't tried it.

Besides, I get to have a local browser set to default settings to test websites and to do online banking and whatnot, and then a separate paranoid browser in an RDP session. RDP can be full screen, or you can use RemoteApp. With enough bandwidth it behaves just like a local app, but with all the liability offloaded to a remote machine with no connectivity to the one I sit at. If the browser application itself gets owned, and it can, the trojan will be running on a remote machine off my LAN with no data on it to compromise. It's a brilliant solution, actually. I'm sorry you think it's bizarre. It isn't.

> This seems really.....absurd. Have you thought about just using firefox+noscript?

> No and no.

> IE with tracking protection and filtering turned on is better than noscript. If you don't think so then you haven't tried it.

> Besides, I get to have a local browser set to default settings to test websites and to do online banking and whatnot, and then a separate paranoid browser in an RDP session. RDP can be full screen, or you can use RemoteApp. With enough bandwidth it behaves just like a local app, but with all the liability offloaded to a remote machine with no connectivity to the one I sit at. If the browser application itself gets owned, and it can, the trojan will be running on a remote machine off my LAN with no data on it to compromise. It's a brilliant solution, actually. I'm sorry you think it's bizarre. It isn't.

But c'mon, I mean.. it's a little bizarre.

But hey, if it's just as responsive as a local app, then sure why not? Whatever floats your boat.

I'm curious though, what is this "tracking protection and filtering"? Does it include disabling Javascript and plugins by default? That's by far the most important part, since almost all infections from browsing happen through those. In fact, if you have scripts off by default, keep everything updated, and use some sort of domain reputation checker, you'll be safe from like 99% of untargeted attacks.

> While everyone is a target, these "watering hole" vectored attacks seem to follow the classic lines of real world espionage with definite targets. These types of targets do tend to lend credence to this attack being state-sponsored or initiated.

> Unfortunately, as news reporting becomes a portfolio career (freelance working for more than one publication), most journalists that use a site like Reporters Without Borders are their own IT support, as well as their own billing department, marketing department, collections department, etc. This leaves them particularly vulnerable to ever-evolving hacking attacks. It wouldn't be a surprise if these attacks are producing valuable intelligence to those behind them.

This post could hardly be more true. I myself have worked with one specific, unnamed, reporter in the past to help them secure their digital information, as well as helping to provide them with methods of securing their communications.

Reporters who travel overseas and in war-torn states are at a real risk to self for the sake of freedom of information. Reporters Without Borders is more of a target than other organizations due partially to the freelance nature of reporting, partially to the WikiLeaks effect of having a centralized release platform for data. The individual I worked with was doing investigative reporting in an area of the world where guerrilla attacks were carried out regularly by would-be warlords. Journalism was white-washed by the government to keep control, and suppressed by the terror groups through fear.

I taught about security-in-depth, layered encryption, hidden file systems, secure deletion/wiping ("data destruction techniques"), VPNs and proxy chains. Most of the information was very "user-land" (as in how to use these methods), but as with any journalist they did want a basic understanding of the how and why it works.

Long story short, they came home a few months later, they were published, they did not have any unexpected or unwanted bullet holes in them, and maybe, they did some good; important thing is, their story got out, and the information machine keeps moving.